Note: The Department of Education has since issued an update on this incident, claiming that Ellucian’s software flaw was not implicated in any of the compromised systems it first reported.
Hackers compromised student information systems at 62 universities through a vulnerability in a common software platform, the Department of Education has warned in a security alert.
The cyberattacks exploited a security flaw in the software company Ellucian’s Banner platform, the alert says, which allowed hackers to generate masses of fake student accounts and potentially access sensitive data. According to the Education Department, which issued its alert last week, hackers had been drawing up lists of institutions to target via the vulnerability, which was made public earlier this year.
The Banner platform, which Ellucian says on its website is used by more than 1,500 universities, manages a wealth of student and administrative data — directing everything from class registration to payroll processing.
“Victimized institutions also have indicated that their implementation of the Banner system affects or influences all aspects of academic administration, including the administration of student financial aid,” the alert says.
In December 2018, a security researcher discovered a flaw in the Banner platform that allowed remote, unauthorized access to user accounts, but received no response from Ellucian for months, according to the researcher’s disclosure. Ellucian eventually released a patch for the vulnerability in May, but according to the Department of Education, many institutions have been slow to upgrade their systems.
Ellucian could not be reached for comment, but the company told press last week that the Department of Education has made a mistake.
“The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” it said.
The alert says that hackers used the Ellucian vulnerability as a backdoor into institutions’ admissions and enrollment systems, where they generated fraudulent accounts numbering in the thousands — including 600 generated in one 24-hour period.
Ellucian replied that hackers can employ bots on poorly protected admissions portals and get the same result, regardless of the presence of other security vulnerabilities.
The far-reaching attacks underscore the dangers that cyberattacks can pose for colleges and universities — which must govern a huge volume of data, often armed only with poorly funded IT departments.
The Education Department urged universities to upgrade to the patched version of Ellucian, noting that the fraudulent accounts “appear to be leveraged almost immediately for criminal activity.” It did not specify what type of criminal activity and did not list any affected institutions.